From 74e7574120b3ab8057f1bd00d3a812dcac102f0d Mon Sep 17 00:00:00 2001
From: Geaaru
Date: Sun, 29 Jan 2017 19:03:55 +0100
Subject: [PATCH] [lxc-sabayon] Add common scripts for daily image generation.
Signed-off-by: Geaaru
---
config/templates/Makefile.am | 2 +
config/templates/sabayon.common.conf.in | 77 +++++++++++++++++++++++++
config/templates/sabayon.userns.conf.in | 2 +
configure.ac | 2 +
templates/lxc-sabayon.in | 66 ++++++++++-----------
5 files changed, 112 insertions(+), 37 deletions(-)
create mode 100644 config/templates/sabayon.common.conf.in
create mode 100644 config/templates/sabayon.userns.conf.in
diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
index 86b47d666..387c7a1d7 100644
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -40,4 +40,6 @@ templatesconfig_DATA = \
 sparclinux.userns.conf \
 voidlinux.common.conf \
 voidlinux.userns.conf \
+ sabayon.common.conf \
+ sabayon.userns.conf \
 userns.conf
diff --git a/config/templates/sabayon.common.conf.in b/config/templates/sabayon.common.conf.in
new file mode 100644
index 000000000..09511a27f
--- /dev/null
+++ b/config/templates/sabayon.common.conf.in
@@ -0,0 +1,77 @@
+# Default configuration for Sabayon containers
+
+# Setup the default mounts
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
+
+# Allow for 1024 pseudo terminals
+lxc.pts = 1024
+
+# Setup 1 tty devices for lxc-console command
+lxc.tty = 1
+
+# Needed for systemd distro
+lxc.autodev = 1
+
+# Doesn't support consoles in /dev/lxc/
+lxc.devttydir =
+
+# CGroup whitelist
+lxc.cgroup.devices.deny = a
+
+## Allow any mknod (but not reading/writing the node)
+#lxc.cgroup.devices.allow = c *:* m
+#lxc.cgroup.devices.allow = b *:* m
+
+## Allow specific devices
+### /dev/null
+lxc.cgroup.devices.allow = c 1:3 rwm
+### /dev/zero
+lxc.cgroup.devices.allow = c 1:5 rwm
+### /dev/full
+lxc.cgroup.devices.allow = c 1:7 rwm
+### /dev/random
+lxc.cgroup.devices.allow = c 1:8 rwm
+### /dev/urandom
+lxc.cgroup.devices.allow = c 1:9 rwm
+### /dev/pts/*
+#lxc.cgroup.devices.allow = c 136:* rwm
+### /dev/tty
+#lxc.cgroup.devices.allow = c 5:0 rwm
+### /dev/console
+#lxc.cgroup.devices.allow = c 5:1 rwm
+### /dev/ptmx
+#lxc.cgroup.devices.allow = c 5:2 rwm
+### fuse
+#lxc.cgroup.devices.allow = c 10:229 rwm
+## To use loop devices, copy the following line to the container's
+## configuration file (uncommented).
+#lxc.cgroup.devices.allow = b 7:* rwm
+## rtc
+#lxc.cgroup.devices.allow = c 254:0 rm
+## tun
+#lxc.cgroup.devices.allow = c 10:200 rwm
+## hpet
+#lxc.cgroup.devices.allow = c 10:228 rwm
+## kvm
+#lxc.cgroup.devices.allow = c 10:232 rwm
+
+# If something doesn't work, try to comment this out.
+# Dropping sys_admin disables container root from doing a lot of things
+# that could be bad like re-mounting lxc fstab entries rw for example,
+# but also disables some useful things like being able to nfs mount, and
+# things that are already namespaced with ns_capable() kernel checks, like
+# hostname(1).
+lxc.cap.drop = sys_time sys_module sys_rawio mac_admin mac_override
+#lxc.cap.drop = sys_admin
+
+
+# /dev/shm needs to be mounted as tmpfs. It's needed by python (bug #496328)
+# and possibly other packages.
+lxc.mount.entry = none dev/shm tmpfs rw,nosuid,nodev,create=dir
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp
+
+# Customize lxc options through common directory
+lxc.include = @LXCTEMPLATECONFIG@/common.conf.d/
diff --git a/config/templates/sabayon.userns.conf.in b/config/templates/sabayon.userns.conf.in
new file mode 100644
index 000000000..707bb30c0
--- /dev/null
+++ b/config/templates/sabayon.userns.conf.in
@@ -0,0 +1,2 @@
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
diff --git a/configure.ac b/configure.ac
index 066b0c953..612ca46bd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -745,6 +745,8 @@ AC_CONFIG_FILES([
 config/templates/sparclinux.userns.conf
 config/templates/voidlinux.common.conf
 config/templates/voidlinux.userns.conf
+ config/templates/sabayon.common.conf
+ config/templates/sabayon.userns.conf
 config/templates/userns.conf
 config/yum/Makefile
 config/sysconfig/Makefile
diff --git a/templates/lxc-sabayon.in b/templates/lxc-sabayon.in
index 4c9adbcb2..675542b9b 100644
--- a/templates/lxc-sabayon.in
+++ b/templates/lxc-sabayon.in
@@ -49,7 +49,6 @@ http://ftp.surfnet.nl/pub/os/Linux/distr/sabayonlinux/ http://mirror.internode.on.net/pub/sabayon/ http://mirror.yandex.ru/sabayon/ http://sabayon.c3sl.ufpr.br/ -http://mirror.umd.edu/sabayonlinux/ http://mirror.clarkson.edu/sabayon/ http://na.mirror.garr.it/mirrors/sabayonlinux/"
@@ -217,15 +216,6 @@ EOF # Disable mount of hugepages ln -s /dev/null dev-hugepages.mount - # Fix TERM variable for container console -mkdir container-getty\@0.service.d -cat < container-getty\@0.service.d/00gentoo.conf -[Service] -Environment=TERM= -Environment=TERM=linux -EOF - - popd pushd ${rootfs}
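Review bot: The header comment at the top of sabayon.common.conf.in does not say how the file is consumed, yet its effect depends on include order: the `lxc.cgroup.devices.deny = a` here is the only deny-all left in the generated config, and the template's privileged `allow` lines (which lost their own deny in this commit) are only a whitelist if this file is read before them. The seccomp comment also mentions only privileged containers, although the later template hunk includes this file unconditionally, so `lxc.cap.drop` and `lxc.seccomp` apply to the userns flavour too. I would replace the first line with a short header stating that the file is included by templates/lxc-sabayon for both privileged and unprivileged containers, ahead of the per-flavour option block, and that the device deny must stay here so later allow lines are relative to it, e.g. `# Default configuration for Sabayon containers, included by the lxc-sabayon template (both flavours) before the per-container device allow lines; keep the devices.deny below ahead of them.`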
@@ -265,6 +255,21 @@ systemd_container_tuning () { # Remove LVM service. Normally not needed on container system. rm -rf ${rootfs}/etc/systemd/system/sysinit.target.wants/lvm2-lvmetad.service + # Comment unneeded entry on /etc/fstab + sed -e 's/\/dev/#\/dev/g' -i ${rootfs}/etc/fstab + + # Fix this stupid error until fix is available on sabayon image + # /usr/lib/systemd/system-generators/gentoo-local-generator: line 4: cd: /etc/local.d: No such file or directory + mkdir ${rootfs}/etc/local.d/ + + # Fix TERM variable for container console + mkdir container-getty\@0.service.d + cat < container-getty\@0.service.d/00gentoo.conf +[Service] +Environment=TERM= +Environment=TERM=linux +EOF + return 0 }
@@ -277,31 +282,31 @@ configure_container() { if [[ $unprivileged && $unprivileged == true ]] ; then unprivileged_options=" -lxc.mount.auto = proc:mixed sys:mixed cgroup:mixed - -# Enable tty console for lxc-console command -lxc.tty = 1 - lxc.id_map = u 0 ${mapped_uid} 65536 lxc.id_map = g 0 ${mapped_gid} 65536 + +# Include common configuration. +lxc.include = $LXC_TEMPLATE_CONFIG/sabayon.userns.conf + " else privileged_options=" -lxc.mount.auto = proc:mixed sys:mixed cgroup:mixed -lxc.cgroup.devices.deny = a +## Allow any mknod (but not reading/writing the node) lxc.cgroup.devices.allow = b *:* m lxc.cgroup.devices.allow = c *:* m + +### /dev/pts/* lxc.cgroup.devices.allow = c 136:* rwm -lxc.cgroup.devices.allow = c 1:3 rwm -lxc.cgroup.devices.allow = c 1:5 rwm -lxc.cgroup.devices.allow = c 1:7 rwm -lxc.cgroup.devices.allow = c 1:8 rwm -lxc.cgroup.devices.allow = c 1:9 rwm +### /dev/tty lxc.cgroup.devices.allow = c 5:0 rwm +### /dev/console lxc.cgroup.devices.allow = c 5:1 rwm +### /dev/ptmx lxc.cgroup.devices.allow = c 5:2 rwm +### fuse lxc.cgroup.devices.allow = c 10:229 rwm + " fi
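Review bot: The new `sed -e 's/\/dev/#\/dev/g' -i ${rootfs}/etc/fstab` is unanchored and global, so it rewrites `/dev` wherever it occurs on a line instead of commenting the line out: an entry such as `tmpfs /dev/shm tmpfs ...` would become `tmpfs #/dev/shm tmpfs ...`, a malformed mount point rather than a comment, while entries written as `UUID=`/`LABEL=` that still name host block devices are not touched at all. Anchor it to the line start and quote the path, `sed -i -e 's|^/dev|#/dev|' "${rootfs}/etc/fstab"`, extending the pattern to `^\(/dev\|UUID=\|LABEL=\)` if the image is known to ship such entries. Two smaller points: `mkdir ${rootfs}/etc/local.d/` fails when the directory already exists, which matters for a daily rebuild if the template runs under `set -e`, so `mkdir -p` is safer; and the relocated `mkdir container-getty\@0.service.d` / `cat` block uses a path relative to the current directory — in its old position (previous hunk) it sat inside a pushd/popd pair, and nothing in this hunk establishes the cwd, so unless a pushd precedes it outside the hunk the drop-in is created outside the rootfs. systemd_container_tuning's body starts before this hunk.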
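Review bot: The `privileged_options` string drops its own `lxc.cgroup.devices.deny = a` and now relies on the deny-all coming from sabayon.common.conf, which the following hunk includes before `$privileged_options` is expanded; nothing in this string records that dependency, so a later edit that reorders the include relative to these lines changes the effective device policy without any error (as far as I recall lxc applies devices.deny/allow entries in the order they are read). A one-line comment at the top of the block would pin it: `# Device deny-all comes from sabayon.common.conf, which must be included before these allow lines.` The `if`/`fi` and both option assignments are inside the hunk, but configure_container's body continues past it.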
@@ -312,24 +317,11 @@ lxc.arch = $arch # Set hostname. lxc.utsname = $hostname -# If something doesn't work, try to comment this out. -# Dropping sys_admin disables container root from doing a lot of things -# that could be bad like re-mounting lxc fstab entries rw for example, -# but also disables some useful things like being able to nfs mount, and -# things that are already namespaced with ns_capable() kernel checks, like -# hostname(1). -lxc.cap.drop = sys_time sys_module sys_rawio mac_admin mac_override -#lxc.cap.drop = sys_admin - -lxc.autodev = 1 -lxc.pts = 1024 +# Include common configuration. +lxc.include = $LXC_TEMPLATE_CONFIG/sabayon.common.conf $unprivileged_options $privileged_options - -# Customize lxc options through common directory -lxc.include = /usr/share/lxc/config/common.conf.d/ - EOF } -- 2.47.2
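Review bot: The added `lxc.include = $LXC_TEMPLATE_CONFIG/sabayon.common.conf` is the first place the template relies on `$LXC_TEMPLATE_CONFIG` (the removed lines hard-coded `/usr/share/lxc/config/common.conf.d/`), and nothing in this hunk assigns it; if it is not set earlier in the template, the heredoc expands to `lxc.include = /sabayon.common.conf` and the container comes up without the cgroup device deny, the `lxc.cap.drop` list and the seccomp policy that this commit moved into that file. Since the template is a `.in` processed by configure, I would default it once near the top, `LXC_TEMPLATE_CONFIG="${LXC_TEMPLATE_CONFIG:-@LXCTEMPLATECONFIG@}"`, the same substitution sabayon.common.conf.in uses for its own paths. Whether lxc rejects a missing include or ignores it depends on the version, so I would not rely on it failing loudly. configure_container's heredoc starts outside the hunk.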